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(54) HOME NETWORK SYSTEM 



(57) A home network system that makes it possible 
to build a network with assured security, wherein net- 
work users need not have security expertise. For access 
attempts offered from a home node 21-1 in a community 
area network 5-1 toward an outside public network 1 
through a path N2, a security server 11-1 need not ex- 
ecute an authentication process. The home node 21-1 



rejects access attempts directly transferred from the 
public network 1 . The security server 11-1 executes the 
authentication process for an access attempt trans- 
ferred from the public network 1 through a path N42. 
When the authentication is successful, connection of the 
access attempt to the home node 21-1 through a path 
N9 is permitted. 
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Description 

Technical Field 

[0001] The present invention relates to a home net- 
work system. 

Background Art 

[0002] In the past, since it was seldom that general 
network service users at home keep their machine con- 
necting to a public network all the time, they were little 
conscious of network security. 

[0003] Conventionally, corporate network security 
management has been performed, using firewalls or the 
like. 

[0004] It is substantially impossible for general home 
users to provide their machine or system with a firewall 
and carry out firewall operation and maintenance for 
which a lot of technical expertise is required 
[0005] If general household computers and equip- 
ment keep connecting to a public network all the time 
without being protected by a firewall, it is easy for a third 
party to intrude into the intra-home network. Conse- 
quently, there is a possibility that secret information such 
as a password, credit ID and ID for electronic commerce 
(EC) be stolen. 

[0006] Even when general household computers and 
equipment keep connecting to a public network all the 
time via a router, filtering can be performed, but personal 
authentication or the like must be performed separately. 
Because building an authentication system requires 
technical expertise, it is substantially impossible for gen- 
eral home users to use authentication management. 
[0007] When a cellular mobile device operating out- 
doors is accessing a network device installed in a home, 
the absence of an authentication system is a bottleneck 
of security, so that it will be impossible to remotely op- 
erate a crime prevention and security system and down- 
load data from a server in the home. 
[0008] Telephonic communication via networks using 
Voice over IP (VoIP) or the like is normally arranged 
such that a subscriber calls another subscriber connect- 
ing to a connection server except intra-corporate use 
thereof. The subscriber, however, cannot call another 
subscriber that is not connecting to the connection serv- 
er, which is different from general telephony systems in 
which calling another subscriber by dialing its telephone 
number makes the connection thereto. 
[0009] At the present, when connecting computers 
and equipment to a public network such as the Internet 
all the time, a connection device such as a router is used 
for filtering and connection control or a firewall is in- 
stalled on a large scale. In this case, because individual 
devices in a network are concealed, receiving push-type 
information distribution is generally difficult, requiring 
knowledge of networking. 



Disclosure of the Invention 

[0010] In view of the above network usage situation 
of general users, the object of the present invention is 
5 to allow even general users who are not familiar with 
security expertise to communicate with the outside 
world with assured security that is provided in a simple 
and dependable way. 

[001 1] In one implementation of the present invention, 
10 a home network system including first and second net- 
works is provided. The network system comprises de- 
tection means for detecting the direction of access be- 
tween the first network and the second network; storage 
means for storing information required for executing an 
15 authentication process; authentication means for exe- 
cuting the authentication process, based on the infor- 
mation stored in the storage means, when the detection 
means has detected an access attempt in the direction 
from the first network toward the second network; and 
20 control means for controlling connection of an access 
attempt from the first network toward the second net- 
work, according to the result of authentication executed 
by the authentication means. 

[0012] The authentication means can be configured 
25 not to execute the authentication process when the de- 
tection means has detected an access attempt in the 
direction from the second network toward the first net- 
work. 

[001 3] The control means can be configured to control 

30 connection, using VPN. 

[0014] The second network can be configured to ac- 
commodate a plurality of home nodes of individual net- 
works formed inside each home. 
[0015] The individual networks formed inside each 

35 home can be configured to include Ethernet or 
IEEE1394. 

[0016] The authentication means can be configured 
to execute the authentication process, using a tele- 
phone number or a device ID obtained from a wireless 
40 mobile device. 

[0017] The storage means can be configured to fur- 
ther store information required for push-type distribution 
of information received across said first network to the 
home nodes over said second network. 
45 [0018] The information to be distributed by the push- 
type distribution includes advertising or public relations, 
information from a government office, disasters informa- 
tion, or emergency information. 
[0019] In another implementation of the present in- 
50 vention, a connection control method in a home network 
system including first and second networks is provided. 
The connection control method comprises the steps of 
detecting the direction of access between the first net- 
work and the second network; storing beforehand infor- 
55 mation required for executing a authentication process; 
executing the authentication process, based on the in- 
formation thus stored, upon the detection of an access 
attempt in the direction from the first network toward the 
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second network; and controlling connection of an ac- 
cess attempt from the first network toward the second 
network, according to the result of authentication. 
[0020] Under a home node included in the network 
system of the present invention, a network system is 5 
built in which intra-home computers and equipment are 
interconnected. In this network system, a bridge or the 
like is used to connect networks of different physical lay- 
ers, running different protocols, so that inter-network 
communication can be performed. 
[0021] The home node can be embodied in a device 
such as a router that is capable of routing and filtering 
data to be communicated and can be configured to be 
able to keep connecting to the outside network all the 
time. 

[0022] By adding a connection control to the above 
device, the node can be configured to be able to keep 
connecting to the outside network all the time. 
[0023] The above device can be configured to have 
the functions of controlling connection from the outside 
and enabling connection from a reliable device, using a 
VPN technique or the like. 

[0024] A community area network included in the 
present invention is formed to accommodate a plurality 
of nodes at homes (including condominiums, apartment 
houses, etc.) or in a residential area. A wide area com- 
munity network included in the present invention is com- 
prised of a plurality of community area networks. 
[0025] The network system of the present invention 
can be configured to include servers for diverse services 
such as a content distribution mirror server and an ad- 
vertising distribution server, and moreover, a security 
server for maintaining security. 

[0026] In the wide area community network included 
in the present invention, the security server executes us- 
er authentication for connection attempts from the public 
network and sets up connection to the target node such 
as the router or gateway of the intra-home network of 
the user, using the VPN technique or the like. 
[0027] In the wide area community network included 
in the present invention, when a connection attempt is 
offered from a mobile terminal device such as a cellular 
phone or PDA via the public network, the device identi- 
fying information such as the telephone number and the 
device ID is transferred to the security server where the 
information is then used for user authentication. 
[0028] In a community area network of certain cover- 
age in the wide area community network included in the 
present invention, the security server supervises and 
records traffic and the statuses of the connection devic- 
es such as the routers, and issues an alarm in case of 
a trouble occurring and performs troubleshooting and 
analysis, thereby ensuring security. 



Brief Description of the Drawings 
[0029] 

FIG. 1 is a block diagram showing a network system 
to which the present invention is applied. 
FIG. 2 is a block diagram showing an exemplary 
structure of an intra-home network. 
FIG. 3 is a block diagram showing another exem- 
plary structure of an intra-home network. 
FIG. 4 is a flowchart explaining a connection proce- 
dure to be executed by a security server. 
FIG. 5 is a flowchart explaining an access handling 
procedure to be executed by a router. 
FIG. 6 is a block diagram showing a wide area com- 
munity network to which the present invention is ap- 
plied. 

FIG. 7 is a diagram explaining a communication 
procedure. 

Best Mode for Carrying Out the Invention 

[0030] FIG. 1 shows a basic exemplary structure of a 
network system to which the present invention is ap- 
plied. 

[0031] In the network system configured as shown in 
FIG. 1 , a public network 1 such as, typically, the Internet, 
and a distribution server for distributing content or the 
like are connected by paths N101 and N 102 and a wire- 
less mobile device 3 such as a cellular phone or a Per- 
sonal Digital Assistant (PDA) is connected to the public 
network 1 via a carrier gateway 4, using paths N141, 
N142, N151, and N152. 

[0032] A community area network 5-1 which is includ- 
ed in the system as an inward network may be formed, 
depending on a geographical area to cover a residential 
area, condominiums, or apartment houses, or formed in 
a geographically independent network provided by an 
Internet Service Provider (ISP). 

[0033] In the community area network 5-1 , a security 
server 11-1 for providing and maintaining security and 
a distribution mirror server 13-1 for distributing content 
in high-quality mode inward the community area net- 
work 5-1 are installed, together with a database 12-1 for 
retaining authentication data and profiles for obtaining 
access to a home node. 

[0034] The distribution mirror server 1 3-1 cashes and 
mirrors content delivered from the distribution server 2 
to be distributed inward the community area network 
5-1. 

[0035] The distribution mirror server 13-1 may be un- 
necessary in the community area network 5-1 , accord- 
ing to the communication line usage conditions of the 
network 5-1 . 

[0036] When the security server 11-1 receives a re- 
quest for access to any home node in the community 
area network 5-1 , transferred across the pubic network 
1 and through a path N42, the server 11-1 authenticates 
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the device that issued the access request by comparing 
the device ID (its unique ID, telephone number, etc.) and 
a password with the corresponding data within the da- 
tabase 12-1, thus determining whether the device can 
obtain the access. 5 
[0037] In the network system example shown in FIG. 
1 , another community area network 5-2 of the same 
structure as the community area network 5-1 is also con- 
nected to the public network 1 . 

[0038] When a home node is accessing the distribu- 
tion server 2 via the public network 1 , the connection 
between the home node and the distribution server is 
made as follows. For example, a home node 21-1 is con- 
nected to the public network 1 by a path N2 and then 
connected to the distribution server 2 by a path N101 
from the public network 1 thereto. Accordingly, the se- 
curity server 1 1 is not used substantially for access from 
the community area network 5-1 to the external (even if 
it is used, authentication need not be performed). 
[0039] After the above connection is made, if packets 
are transmitted by, for example, Transmission Control 
Protocol/Internet Protocol (TCP/IP), the first packet in- 
cludes the SYN bit that is set and the ACK bit that is 
reset. 

[0040] Reply from the distribution server 2 is sent 
across the path N102, pubic network 1, and path 3 to 
the home node 21-1. 

[0041] For reply packets transferred by, for example, 
TCP/IP, the SYN bit is set and the ACK bit is set. 
[0042] Thereafter, for packets to be communicated 
through the established connection, the ACK bit is set. 
[0043] Unless the home node 21-1 initiates commu- 
nication, packets from the public network 1 first passes 
across the path N3 to the home node 21-1 and its first 
packet includes the SYN bit that is set and the ACK bit 
that is reset when communication begins. 
[0044] On the home node 21-1, there is a router 61 
(which is included in FIG. 2 to be described later) that 
can determine which is the home node 2 1 - 1 or the public 
network 1 that is the origin of the flow of packets to be 
communicated, according to the direction of transfer 
(destination address) of the first packet including the 
ACK bit that is reset. 

[0045] When the router 61 determines that access to 
the home node 21-1 is attempted from the public net- 
work 1 , it can reject intrusion from the public network 1 
by rejecting the connection. 

[0046] When a user authorized to access the home 
node 21-1 attempts to access the home node 21-1 from 
the outside, carriers are first transmitted from the wire- 
less mobile device 3 such as a portable phone or PDA 
via a radio channel path N 152 to the carrier gateway 4 
and the communication channel is thus set up. 
[0047] At the carrier gateway 4, a protocol conversion 
process is performed to enable communication over the 
public network 1 . The wireless mobile device is connect- 
ed to the public network 1 by a path N141 and then con- 
nected to the security server 11-1 by a path N42. 



[0048] As described above, the security server 11-1 
authenticates the wireless mobile device 3, based on its 
device ID and a password. When the authentication is 
successful, the wireless mobile device is connected to 
the node to terminate, for example, the home node 21 -1 , 
through a path N9, according the profile stored in the 
database 1 2-1 , wherein a Virtual Private Network (VPN) 
technique or the like is used. 

[0049] The home node 21-1 (router 61) permits the 
connection only when the reliable security server 11-1 
requests it to make the connection, using the VPN tech- 
nique or the like, and the connection is established by 
the path N9. 

[0050] In the above-described manner, connection 
from a device operating outside to the home node 21-1 
can be made. 

[0051] When information is distributed by push-type 
distribution, it is sent from the distribution server 2 
across the path N102, public network 1 , and path N 42 
to the security server 11-1. 

[0052] The security server 11-1 determines whether 
the information is to be distributed, according to pre-reg- 
istered information in the database 12-1. If the informa- 
tion is to be distributed, it is distributed to the home 
nodes and equipments, using the VPN technique or the 
like, based on the information arranged for distribution 
or the pre-registered information in the database 12-1. 
In this way, localized advertising, or public relations, in- 
formation from a government office, emergency infor- 
mation, disasters information, etc. can be distributed by 
push-type distribution. For this purpose, in the database 
12-1, information required for the security server to de- 
termine whether to permit push-type distribution must 
be registered beforehand. 

[0053] In the community area network 5-1, in princi- 
ple, connection between the home nodes, for example, 
the home node 21-1 and the home node 22-2, must not 
be made for communication. 

[0054] Therefore, each home node (router 61) need 
to reject connection from other home nodes in the same 
community area network 5-1, for example, connection 
by a path N12 (for communication between the home 
node 21-1 and the home node 22-1) and a path N11 (for 
communication between the home node 21-1 and the 
home node 23-1) for access attempts for communica- 
tion from the external, as for access attempts from the 
public network 1 . 

[0055] However, there is exception. Assume that, for 
example, for the home node 22-1 and the home node 
23-1, the other node address is appointed as the ad- 
dress to contact in case of emergency. When the home 
node 22-1 transmits emergency information to the se- 
curity server 11-1 , the security server 11-1 connects to 
the home node 23-1, using the VPN technique or the 
like, based on the information registered in the database 
12-1 , and sends the emergency information to the home 
node 23-1 and specified equipment by push-type distri- 
bution. 
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[0056] In this way, mutual assistance in case of emer- 
gency is made possible in the community area network 
5-1. 

[0057] FIG. 2 shows a basic exemplary structure of 
an intra-home network formed under one of the home 
nodes constituting the community area network 5-1 or 
5-2 in FIG. 1. 

[0058] For example, a path N 21 forming part of the 
intra-home network, is connected to the public network 
1 and the security server 11-1 via the router 61 and 
across the path N 20. 

[0059] The router 61 is provided with a fundamental 
filtering function by set conditions of address, port, input/ 
output, etc., and implements the above-described filter- 
ing function, a function of receiving connection requests 
only from a specific reliable device (the security server 
11-1 in the example case of FIG. 1), and a tunneling 
function such as VPN. 

[0060] Furthermore, the router 61 has an address/ 
port translation function, a Quality of Service (QoS) 
function if it can handle streaming, a HUB function if nec- 
essary, and device discovery functions such as Domain 
Name System (DNS) and Dynamic Host Configuration 
Protocol (DHCP). 

[0061] The path N21 is a high-speed network part 
serving as an intra-home backbone, for example, Eth- 
ernet (a trademark) or the like is used for this path. 
[0062] The path N21 as the high-speed network part 
is provided with a VoIP function. To the path N21, the 
following are connected: a telephone (TEL) 62 that en- 
ables communication via the networks; a server 63 for 
recording, reproducing, and redistributing streams and 
data; a video cassette recorder (VCR) 64 that records 
streams and data on tape or disk media, reproduces 
them therefrom, and redistributes them; an audio device 
65 that receives streaming audio or network radio 
broadcasting and redistributes it; a game device 66 that 
supports games to play across people joined in via the 
network; a digital television receiver (DTV) 67 that re- 
ceives streaming broadcasts and displays pictures; a 
personal computer (PC) 68; and so on. 
[0063] A path N22 forms a low-speed part of the intra- 
home network. To the path N22, the following are con- 
nected: a security sensor 71 for prevention of crime and 
fire; electrically operated installations 72 such as a hot 
water supply system, lighting, and a power feed system; 
and an actuator controller 73 for controlling door lock/ 
unlock and other mechanisms using an actuator; and so 
on. 

[0064] The above equipment and installations are 
connected to the path N21 as the high-speed network 
part by a bridge 70 and the bridge 70 executes protocol 
conversion, physical medium conversion, and the like. 
[0065] FIG. 3 shows another exemplary structure of 
an intra-home network formed under one of the home 
nodes constituting the community area network 5-1 or 
5-2 in FIG. 1. In this example, a specialized network 
such as, for example, IEEE 1394, directed to a specific 



use is further connected to the network shown in FIG. 2. 
[0066] A path N33 forms a network for an AV system; 
the network is embodied in, for example, IEEE1394. A 
path N31 serves as an intra-house backbone as the path 

5 N21 does, and is embodied in, for example, Ethernet. 
[0067] The path N33 is connected to the path N31 by 
a bridge 91 and the bridge 91 executes protocol conver- 
sion, physical medium conversion, and the like between 
the path N33 and the path N 31. 

w [0068] By applying this manner of connecting different 
kinds of networks via a bridge, an intra-house network 
can flexibly be adapted to advanced technology. 
[0069] The security server 11-1 executes a connec- 
tion procedure that is summarized in a flowchart shown 

15 in FIG. 4. In step S 11, the security server 11-1 detects 
the direction of access. That is, the server detects an 
access attempt that is offered in the direction from the 
community area network 5-1 toward the public network 
1 or in the reverse direction from the public network 1 

20 toward the community area network 5-1 (access inward 
from the outside) . According to the direction detected 
in the step S11, the security server 11-1 determines 
whether the access attempt is offered inward from the 
outside in step S12. If the access attempt is offered in- 

25 ward from the outside, the security server 11-1 goes to 
step S13 and executes the above-described authenti- 
cation process. For authentication, for example, the tel- 
ephone number and device ID obtained from the wire- 
less mobile device 3 that offered the access attempt are 

30 compared with the corresponding data registered in the 
database 12-1 as described above. 
[0070] In step S14, the security server 11-1 deter- 
mines whether the authentication is successful. If the 
authentication is successful, the security server 11-1 

35 goes to step S1 5 and executes the connection process. 
That is, the security server 11-1 executes processing for 
connecting the external device that offered the access 
attempt over the public network 1 to a home node 21-1 
and equipment. This processing corresponds to the 

40 connection setup with the paths N42 and N9. 

[0071] If the authentication is unsuccessful in the step 

514 , the security server 11-1 goes to step S16 and re- 
jects connection. 

[0072] If, at the step S1 2, it is determined that the ac- 
45 cess attempt is offered from inward to the outside, the 
security server 11-1 skips the step S13, goes to the step 

515, and immediately executes the connection process. 
This processing corresponds to the connection setup 
with the path N2. 

50 [0073] The router 61 executes an access handling 
procedure that is summarized in a flowchart shown in 
FIG. 5. 

[0074] In step S31 , the router 61 determines whether 
the home equipment is offering an access attempt. If the 
55 home equipment is offering an access attempt, the rout- 
er not receiving an access attempt to the equipment, the 
router 61 goes to step S32 and determines whether the 
home equipment is offering the access attempt toward 



5 



9 



EP 1 293 908 A1 



10 



the outside. If the home equipment is offering the access 
attempt toward the outside, the router 61 goes to step 
S33 and routes the access attempt to its destination. 
This processing corresponds to routing the access at- 
tempt through the path N2, for example. 
[0075] If, at the step S32, it is determined that the 
home equipment is offering the access attempt toward 
another node within the community area network, the 
router 61 goes to step S34 and rejects the access at- 
tempt. This processing corresponds to the rejection of 
access through the path N11 , for example. 
[0076] If, at the step S31 , it is determined that the rout- 
er is receiving an access attempt to the home equip- 
ment, the router 61 goes to step S35 and determines 
whether the access attempt has been transferred from 
the security server 11-1 . If the access attempt has been 
transferred from the security server 11-1, the router 61 
goes to step S36 and accepts the access attempt. This 
access attempt corresponds to the access attempt car- 
ried across the path N 42 and the path N9, for example. 
[0077] If, at the step S35, it is determined that the rout- 
er receives the access attempt not transferred from the 
security server 11-1 , the router 61 goes to step S37 and 
rejects the access attempt. This access attempt corre- 
sponds to the access attempt carried across the path 
N3, for example. 

[0078] FIG. 6 represents another network system ex- 
ample wherein a wide area community network 1 1 1 cov- 
ering a larger area is used as an inward network. The 
wide area community network 1 1 1 is comprised of a plu- 
rality of community area networks 5-1 to 5-n. A database 
12, a security server 11 , and a distribution mirror server 
13 are shared across the plurality of community area 
networks 5-1 to 5-n. 

[0079] FIG. 7 represents yet another network system 
example wherein a telephone number conversion and 
routing server 1 21 is incorporated into the system struc- 
ture so that telephone users can easily take advantage 
of VoIP telephonic communication via networks. 
[0080] Normally, the VoIP requires telephone users to 
specify an IP address by which a communication path 
is established to connect a call. However, IP addresses 
are hard to remember and not generally pervaded for 
telephony and they change, according to the connection 
mode. Thus, ITU-T E. 164 or the like is used. 
[0081] In FIG. 7, when a VoIP-compliant telephone 66 
connected to the home node 21-1 offers a call attempt 
to a similar telephone connected to the home node 23-1 
by entering the telephone number, the call attempt is 
transferred across a path N52, the public network 1 , and 
a path N561 to the telephone number conversion and 
routing server 121 . On this server, call connection setup 
processing is executed. 

[0082] The telephone number conversion and routing 
server 121 translates the telephone number into IP ad- 
dress, based on the mapping information registered in 
its database 122. Then, the server 121 connects the call 
attempt to the VoIP-compliant telephone connected to 



the home node 23-1 via a path N562, the public network 
1, a path N522, the security server 11-1, and a path 
N510. 

[0083] In this case, the security server 11-1 retrieves 
s information about the VoIP-compliant telephone con- 
nected to the home node 23-1 from the database 12-1 
and sends back a reply as a proxy for the VoIP-compli- 
ant telephone connected to the home node 23-1 . 
[0084] In environment where IP addresses change, it 
10 is necessary to provide means for dynamically updating 
the mapping between a telephone number and an IP 
address registered on the database of the telephone 
number conversion and routing server 121 from a VoIP- 
compliant telephone or its proxy. 
15 [0085] As explained in the described embodiments, 
the security server 1 1 , database 1 2, and distribution mir- 
ror server 13 are provided per community area network 
5 or wide area community network 111 which is an in- 
ward network, so that each home node can keep con- 
necting to the outside network all the time with security 
assured, wherein users at home need not take security 
measures separately, based on technical expertise 
thereof. 

[0086] Accordingly, the present invention is applica- 
ble to building a network that makes it possible to offer 
the following services: 

(1 ) Security-related service 

[0087] Information: Network security service without 
requiring network service users at home to provide their 
machine and system with a firewall. 
[0088] Crime prevention: The following service is im- 
plemented. Should an abnormal event in view of crime 
prevention be detected, notification thereof is automat- 
ically transmitted to the appointed address or number to 
contact and a police box, a police station, and the like 
in the community. 

[0089] Safety: Mutual assistance service in a commu- 
nity. Trouble of emergency happened in a home (should 
gas leaking or a fire be detected or in case of sudden 
illness) is reported to the appointed neighboring home 
node(s) and equipment(s). 

(2) Access service from outdoors 

[0090] Secure connection service from a mobile ter- 
minal such as a portable phone or PDA operating out- 
doors to the home node. 

(3) VoIP telephony service 

[0091] Network-oriented telephony service in which 
VoIP is easier to use. By telephone number to IP ad- 
dress conversion and the security server's proxy func- 
tion, call connection across networks can be made by 
specifying a telephone number. 
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(4) Advertising or public relations distribution service 

[0092] A service of distributing localized advertising 
or public relations by push-type distribution, using the 
distribution mirror server in the community network. 

(5) Information service from a government office 

[0093] A service of distributing information from a gov- 
ernment office and disasters information such as emer- 
gency warning or alerts by push-type distribution. 

Industrial Applicability 

[0094] Even when general household computers and 
equipment keep connecting to a public network such as 
the Internet all the time, users can take advantage of 
security-assured network environment without being 
conscious of security and learning security expertise. 
[0095] By providing security-assured access environ- 
ment for access using a mobile terminal such as a cel- 
lular phone or PDA operating outdoors to an intra-home 
network, remote supervision and operation of intra- 
home computers and equipment and communication 
with them can be performed. Communication can be 
used for measures for crime prevention, safety, and 
emergency such as sudden illness and seamless trans- 
mission of kinds of data can be carried out. 
[0096] By defining network coverage such as a com- 
munity area network, the network situation or state can 
easily be grasped and stable system operation and se- 
curity can be assured. 

[0097] By permitting connection through a specific 
path from a security server or the like, remote setting 
and maintenance of a connection device such a router 
can be performed with security maintained. 
[0098] In the same manner as described above, re- 
mote maintenance of an intra-home network device or 
the like can be performed with security maintained. 

Claims 

1. A home network system, including a second inward 
network connecting to a first outside network, said 
network system comprising: 

detection means for detecting the direction of 
access between said first network and said sec- 
ond network; 

storage means for storing information required 
for executing an authentication process; 
authentication means for executing the authen- 
tication process, based on the information 
stored in said storage means, when said detec- 
tion means has detected an access attempt in 
the direction from said first network toward said 
second network; and 



control means for controlling connection of an 
access attempt from said first network toward 
the second network, according to the result of 
authentication executed by said authentication 
5 means. 

2. The home network system as recited in claim 1, 
wherein said authentication means does not exe- 
cute the authentication process when said detec- 

10 tion means has detected an access attempt in the 
direction from said second network toward said first 
network. 

3. The home network system as recited in claim 1, 
15 wherein said control means controls connection, 

using VPN. 

4. The home network system as recited in claim 1, 
wherein said second network accommodates a plu- 

20 rality of home nodes of individual networks formed 
inside each home. 

5. The home network system as recited in claim 4, 
wherein said individual networks formed inside 

25 each home include Ethernet or IEEE1394. 

6. The home network system as recited in claim 1, 
wherein said authentication means executes said 
authentication process, using a telephone number 

30 or a device ID obtained from a wireless mobile de- 
vice. 

7. The home network system as recited in claim 1, 
wherein said storage means further stores informa- 

35 tion required for push-type distribution of informa- 
tion received across said first network to the home 
nodes over said second network. 

8. The home network system as recited in claim 7, 
40 wherein information to be distributed by the push- 
type distribution includes advertising or public rela- 
tions, information from a government office, disas- 
ters information, or emergency information. 

45 9. A connection control method in a home network 
system, including a second inward network con- 
necting to a first outside network, said connection 
control method comprising the steps of: 

50 detecting the direction of access between said 

first network and said second network; 
storing beforehand information required for ex- 
ecuting an authentication process; 
executing the authentication process, based on 

55 the information thus stored, upon the detection 

of an access attempt in the direction from said 
first network toward said second network; and 
controlling connection of an access attempt 
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from said first network toward said second net- 
work, according to the result of authentication. 



5 



10 



15 



20 



25 



30 



35 



40 



45 



50 



8 



EP 1 293 908 A1 




9 



EP 1 293 908 A1 



CO 
CO 



co 



LU 
> 

LU 
00 



o 

Q. 



CO 



o 



Q 
ZD 
< 



co' 



CO 
CO 



> 



o 



LU 
CO 



Csl 



CQ 



LU 
O 
O 

a: 

CD 



oo 

CO 



to 

CO 



<N 
CN 



O 



OO 

ZD 

Oh- 

<o 



CO 



o 

LU 
H- 

<. 

Ui~D 
O 

00 

>-z 

JO 
—I — 
<H- 

o< 
— -J 

£tJ 
h-< 
OH 
LUO0 
JZ 
LU — 



CM 



oo 



— a: 
cro 

SCO 
OZ 
LULU 
00 00 



CN 
CO 



LU 



(X 



ZD 

o 

OS 



CO 



cr ^ 
luo: 
>o 

uuh- 
co LU 



o 

CM 



oe -J 
300 

o=) 
ujo. 

a 
oz 



10 



EP 1 293 908 A1 



00 
CO' 







a. 








! a 




a. 





co* 



CO 

a 











UJ 










< 




CD 





CO 

CO * 







I— 








-J 




UJ 




J— 





CO 



QC 
O 
> 



CO 



> 
Q 



CO 
CO 



CO 



CO 



LU 

> 
a: 

UJ 

co 



CO 
CO 



Q 

< 



in 
co 



as 



Q 

or 
co 



o 



CM 
CQ 



UJ 

a 
a 

a: 

GQ 



CM 
CO 



oo 
>~< 
<^ 

3 

H-_J 



.CO 



Q 
UJ 
I— 
< 

UJ-D 
O 

CO 
JO 

-J— 
o< 

— — J 

l-< 

OH 
UJCO 



. CM 



co 



— en 
ceo 
aco 

UUUJ 

coco 



'CO 



luce 
>o 

LUH- 
00 UJ 



f— O 

OD 
LUQ. 

CO 

a 
oz 



11 



EP 1 293 908 A1 



F IG . 4 



C 



SECURITY SERVER STARTS 
CONNECTION PROCEDURE 



[ 0N ) 





S11 


DETECTS DIRECTION OF ACCESS 







IS ACCESS ATTEMPT 
OFFERED INWARD FROM 
THE OUTSIDE ? 



S12 



NO 



S16 



NO 



YES 



S13 



EXECUTES AUTHENT I CAT I ON 




REJECTS CONNECTION 



YES 



S15 



EXECUTES CONNECTION PROCESS 



C END ) 



12 



EP 1 293 908 A1 




13 



EP 1 293 908 A1 




14 



EP 1 293 908 A1 




15 



EP 1 293 908 A1 



INTERNATIONAL SEARCH REPORT 



International application No. 

PCT/JP01/08449 



A. CLASSIFICATION OF SUBJECT MATTER 

Int. CI 7 G06P 13/00, H04L 12/66, G06F 15/00 



According to International Patent Classification (IPC) or to both national classification and IPC 



B. FIELDS SEARCHED 



Minimum documentation searched (classification system followed by classification symbols) 
Int. CI 7 G06F 13/00, H04L 12/66, G06F 15/00 



Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 
Jitsuyo Shi nan Koho 1922-1996 Toroku Jitsuyo Shinan Koho 1994-2001 

Kokai Jitsuyo Shinan Koho 1971-2001 Jitsuyo Shinan Toroku Koho 1996-2001 



Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 



C. DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* 


Citation of document; with indication, where appropriate, of the relevant passages 


Relevant to claim No. 


Y 


JP 11-88406 A (Toshiba Corporation) , 
3 0 March, 1999 (30.03.99), 

Par.Nos. [0002] - [0011] , [0024] , [0101] to [0107], [0223]; 
Fig. 1 (Family: none) 


1-9 


Y 


Ascii NT, Vol. 4, No. 2, February, 1999 
KAGA "Policy Base no Tougou-teki na Security Taisaku 
wo Kanou ni sum Fire Wall-1", page 180, especially, 
right column, lines 10-16 


1-9 


Y 


JP 11-175477 A (Casio Computer Co., Ltd.), 

02 July, 1999 (02.07.99), 

Full text; Figs. 1 to 8 

& EP 862104 A2 & CN 1193862 A 

& US 6108790 Al 


6 


Y 


JP 11-239169 A (Sumitomo Electric Industries, Ltd.), 

31 August, 1999 (31.08.99), 

Full text; Figs. 1 to 10 (Family: none) 


7,8 



I I Further documents arc listed in the continuation of Box C. See patent family annex. 



Special categories of cited <J 
' document defining the general state of the art which is not 
c on s id ered to be of particular relevance 
*E* earlier document but published on or after the International filing 
date 

'V document which may throw doubts on priority claim(s) or which is 
cited to establish the publication date of another citation or other 
special reason (as specified) 

'CT document referring to an oral disclosure, use, exhibition or other 
means 

V document published prior to the international filing date but later 



T later document published after the u 



J filing date or 



priority date end not in conflict with the application but cited to 
understand the principle or theory underlying the invention 
"X" document of particular relevance; the churned invention cannot be 
considered novel or cannot be considered to involve en inventive 
step when the document is taken alone 
"V document of particular relevance; the claimed invention cannot be 
considered to involve an inventive step when the document is 
combined with one or more other such documents, such 
combination being obvious to a person skilled in the art 
"A" document member of the same patent family 



Date of the actual completion of the international search 
04 December, 2001 (04.12.01) 


Date of mailing of the international search report 

11 December, 2001 (11.12.01) 


Name and mailing address of the ISA/ 

Japanese Patent Office 

Facsimile No. 


Authorized officer 
Telephone No. 



Form PCMS A/210 (second sheet) (July 1992) 



16 



